Question

How to properly disable Jamf Connect password syncing once logged in with Google account

  • November 13, 2025
  • 1 reply
  • 70 views

YGG IT

Hi everyone,

I need help understanding the correct way to disable password sync in Jamf Connect while still using Google Workspace authentication during ADE enrollment.

Our current setup (Jamf Connect + Google Workspace + ADE) behaves like this:

  • During initial login, the user signs in with their Google Workspace account

  • Jamf Connect creates the local macOS user account based on the Google Workspace account (first name and last name)

  • The initial local Mac password is set to the Google password

  • If the user later changes their Google password, Jamf Connect detects a mismatch and prompts:
    “Your local password and network password are different. Please enter your local password to sync.”

  • Once the user enters it, the Mac password gets updated to match the new Google password

What we want instead:

  • Users authenticate with Google Workspace ONLY for the first login

  • Jamf Connect creates the local account

  • After that, the macOS password and Google password must be completely independent

  • No password sync, no mismatch prompts, no forced alignment; users should be able to change the Mac login password as they like.

Would really appreciate guidance or an example configuration from anyone running this “Google login + no password sync” workflow on ADE Macs.

Thanks in advance!

1 reply

h1431532403240

Yes, this is achievable. The key insight is that Jamf Connect Login Window (OIDC) will always require Google authentication on every login — so to allow users to log in with only their local password afterward, you need to completely remove the Jamf Connect Login Window after account creation.

Solution: Use Jamf Connect only for initial account provisioning, then fully uninstall it.

Step 1: Login Window Configuration (com.jamf.connect.login)

<key>OIDCNewPassword</key>
<true/>

This prompts users to create a separate local password during initial account creation instead of reusing the Google password.

Step 2: Completely uninstall Jamf Connect Login Window after account creation

Create a Jamf Pro policy:

  • Trigger: Recurring Check-in or Login
  • Scope: Smart Group where user account already exists
  • Execution Frequency: Once per computer
  • Scripts: Run the following script:

#!/bin/bash

# Step 1: Reset authentication database (MUST be first)
/usr/local/bin/authchanger -reset

# Step 2: Remove Jamf Connect Login Window files
rm -f /usr/local/bin/authchanger
rm -f /usr/local/lib/pam/pam_saml.so.2
rm -rf /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle

# Step 3: Remove login window preferences
rm -f /Library/Preferences/com.jamf.connect.login.plist

exit 0

Step 3: Remove computer from Configuration Profile scope

After account creation, exclude the computer from the com.jamf.connect.login Configuration Profile scope using a Smart Group. This prevents the profile from reapplying settings.

Step 4: Don't deploy password sync components

Don't deploy the Jamf Connect menu bar app (Self Service+) or Google Secure LDAP certificate. Without these, there's nothing to trigger password sync prompts.

Result:

  • First login → Google OIDC via Jamf Connect → User creates separate local password
  • Subsequent logins → Native macOS login window → Local password only
  • No password sync, no mismatch prompts, no risk of Jamf Connect re-enabling

Reference: Uninstalling Jamf Connect | Initial Local Password Creation
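
A post-removal check for the procedure in the reply above, added here as an example and not part of the original post or of Jamf's tooling: it confirms that the `system.login.console` rule no longer references the plugin and that the four removed paths are gone. The function names are hypothetical, the `JamfConnectLogin:` mechanism prefix is assumed from the bundle name, and the sample rule fragment is constructed.

```shell
#!/bin/bash
# Added example, not from the original post: confirm the removal script left
# no Jamf Connect login mechanisms or files behind. Function names are hypothetical.

# Paths copied from the removal script in the reply.
JC_PATHS="/usr/local/bin/authchanger
/usr/local/lib/pam/pam_saml.so.2
/Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle
/Library/Preferences/com.jamf.connect.login.plist"

# Read an authorization-db rule (plist XML) on stdin and print every mechanism
# that belongs to the JamfConnectLogin plugin ("<bundle>:<mechanism>" naming).
jc_mechanisms() {
    grep -o 'JamfConnectLogin:[A-Za-z]*' | sort -u
}

# Print each listed path that still exists under the root given in $1 (default /).
jc_leftovers() {
    jc_root="${1:-}"
    while IFS= read -r jc_path; do
        if [ -e "${jc_root}${jc_path}" ]; then echo "$jc_path"; fi
    done <<EOF
$JC_PATHS
EOF
}

# Exit status 0 only when neither mechanisms nor files remain.
check_removed() {
    jc_mechs=$(jc_mechanisms || true)
    jc_files=$(jc_leftovers "${1:-}")
    if [ -n "$jc_mechs" ]; then echo "login rule still references: $jc_mechs" >&2; fi
    if [ -n "$jc_files" ]; then echo "files still present: $jc_files" >&2; fi
    [ -z "$jc_mechs" ] && [ -z "$jc_files" ]
}

# Constructed sample: a rule fragment where authchanger -reset was skipped.
sample_dirty_authdb() {
    cat <<'EOF'
<array>
  <string>builtin:policy-banner</string>
  <string>JamfConnectLogin:LoginUI</string>
  <string>builtin:login-begin</string>
</array>
EOF
}

# On the Mac, as root:
#   security authorizationdb read system.login.console 2>/dev/null | check_removed
```

A non-zero exit with the plugin bundle already deleted means the login rule still points at a missing plugin, which is the state the "MUST be first" ordering in the removal script is there to avoid.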